

This page is a machine translation of the English original. Where the two differ, the English version prevails.

# Troubleshooting an AWS Site-to-Site VPN connection to a Yamaha customer gateway device
<a name="Yamaha_Troubleshooting"></a>

When you troubleshoot connectivity to a Yamaha customer gateway device, consider four things: IKE, IPsec, the tunnel, and BGP. You can work through these areas in any order, but we recommend starting with IKE (at the bottom of the stack) and working up: each layer depends on the one below it, so a failure at IKE shows up again as a missing IPsec SA, an offline tunnel, and a BGP session that never establishes.

**Note**  
By default, the `proxy ID` setting used in IKE Phase 2 is disabled on Yamaha routers. This can prevent the connection to Site-to-Site VPN from coming up. If `proxy ID` is not configured on your router, see the example configuration file that AWS provides for Yamaha devices and set it accordingly.

## IKE
<a name="YamahaIKE"></a>

Run the following command. The response shows a customer gateway device with IKE configured correctly.

```
# show ipsec sa gateway 1
```

```
sgw  flags local-id                      remote-id        # of sa
--------------------------------------------------------------------------
1    U K   YOUR_LOCAL_NETWORK_ADDRESS     72.21.209.225    i:2 s:1 r:1
```

You should see a line whose `remote-id` value is the remote gateway (the AWS tunnel endpoint) specified for the tunnel. The `# of sa` column counts the IKE SAs (`i`), the sending IPsec SAs (`s`) and the receiving IPsec SAs (`r`); a gateway showing `i:0` has not completed IKE Phase 1 at all. Omit the gateway number to list the security associations (SAs) for every gateway.

For further troubleshooting, run the following commands to enable DEBUG-level log messages that provide diagnostic information. Note that `key-info` writes negotiated key material to the log, so enable it only for as long as you need it and only with a log destination you trust.

```
# syslog debug on
# ipsec ike log message-info payload-info key-info
```

To stop logging these items, run the following commands.

```
# no ipsec ike log
# no syslog debug on
```

## IPsec
<a name="YamahaIPsec"></a>

Run the following command. The response shows a customer gateway device with IPsec configured correctly.

```
# show ipsec sa gateway 1 detail
```

```
SA[1] Duration: 10675s
Local ID: YOUR_LOCAL_NETWORK_ADDRESS
Remote ID: 72.21.209.225
Protocol: IKE
Algorithm: AES-CBC, SHA-1, MODP 1024bit

SPI: 6b ce fd 8a d5 30 9b 02 0c f3 87 52 4a 87 6e 77 
Key: ** ** ** ** **  (confidential)   ** ** ** ** **
----------------------------------------------------
SA[2] Duration: 1719s
Local ID: YOUR_LOCAL_NETWORK_ADDRESS
Remote ID: 72.21.209.225
Direction: send
Protocol: ESP (Mode: tunnel)
Algorithm: AES-CBC (for Auth.: HMAC-SHA)
SPI: a6 67 47 47 
Key: ** ** ** ** **  (confidential)   ** ** ** ** **
----------------------------------------------------
SA[3] Duration: 1719s
Local ID: YOUR_LOCAL_NETWORK_ADDRESS
Remote ID: 72.21.209.225
Direction: receive
Protocol: ESP (Mode: tunnel)
Algorithm: AES-CBC (for Auth.: HMAC-SHA)
SPI: 6b 98 69 2b 
Key: ** ** ** ** **  (confidential)   ** ** ** ** **
----------------------------------------------------
SA[4] Duration: 10681s
Local ID: YOUR_LOCAL_NETWORK_ADDRESS
Remote ID: 72.21.209.225
Protocol: IKE
Algorithm: AES-CBC, SHA-1, MODP 1024bit
SPI: e8 45 55 38 90 45 3f 67 a8 74 ca 71 ba bb 75 ee 
Key: ** ** ** ** **  (confidential)   ** ** ** ** **
----------------------------------------------------
```

For each tunnel interface you should see both a `receive` SA and a `send` SA (the `Direction` line of the ESP entries), alongside the IKE SA that protected their negotiation. The `Algorithm` lines show what was actually negotiated, so confirm they match the tunnel options configured on the AWS side. `MODP 1024bit` (Diffie-Hellman group 2) and SHA-1, as in this sample, are the weakest parameters Site-to-Site VPN accepts; where your device supports them, prefer a larger DH group and a SHA-2 hash on both ends.

For further troubleshooting, enable debugging with the following commands.

```
# syslog debug on
# ipsec ike log message-info payload-info key-info
```

Run the following commands to disable debugging.

```
# no ipsec ike log
# no syslog debug on
```
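The IKE and IPsec checks above are easy to misread by eye when several gateways are listed. The following script is an added example (not code from the AWS page or from Yamaha) that parses the two outputs, `show ipsec sa gateway N` and `show ipsec sa gateway N detail`, and applies the checks described in both sections: the `remote-id` is the expected AWS endpoint, an IKE SA exists, ESP SAs exist in both directions, and the `i/s/r` counts in the summary agree with the detail listing. The sample outputs are constructed in the page's format (one IKE SA and one ESP SA per direction), the function names are this example's own, and the weak-algorithm warning is an added caveat rather than something the page states.

```python
import re
from collections import Counter

# Constructed sample of `show ipsec sa gateway 1` output, in the page's format.
SAMPLE_SUMMARY = """\
sgw  flags local-id                      remote-id        # of sa
--------------------------------------------------------------------------
1    U K   YOUR_LOCAL_NETWORK_ADDRESS     72.21.209.225    i:1 s:1 r:1
"""

# Constructed sample of `show ipsec sa gateway 1 detail` output.
SAMPLE_DETAIL = """\
SA[1] Duration: 10675s
Local ID: YOUR_LOCAL_NETWORK_ADDRESS
Remote ID: 72.21.209.225
Protocol: IKE
Algorithm: AES-CBC, SHA-1, MODP 1024bit
SPI: 6b ce fd 8a d5 30 9b 02 0c f3 87 52 4a 87 6e 77
----------------------------------------------------
SA[2] Duration: 1719s
Local ID: YOUR_LOCAL_NETWORK_ADDRESS
Remote ID: 72.21.209.225
Direction: send
Protocol: ESP (Mode: tunnel)
Algorithm: AES-CBC (for Auth.: HMAC-SHA)
SPI: a6 67 47 47
----------------------------------------------------
SA[3] Duration: 1719s
Local ID: YOUR_LOCAL_NETWORK_ADDRESS
Remote ID: 72.21.209.225
Direction: receive
Protocol: ESP (Mode: tunnel)
Algorithm: AES-CBC (for Auth.: HMAC-SHA)
SPI: 6b 98 69 2b
----------------------------------------------------
"""

SUMMARY_ROW = re.compile(
    r"^(\d+)\s+(.+?)\s+(\S+)\s+(\S+)\s+i:(\d+)\s+s:(\d+)\s+r:(\d+)\s*$")
SA_HEADER = re.compile(r"^SA\[(\d+)\]\s+Duration:\s+(\d+)s")
# Added caveat: still accepted by AWS, but the weakest parameters on offer.
WEAK_ALGORITHMS = ("MODP 1024bit", "SHA-1")


def parse_summary(text):
    """Map gateway number -> ids and the i/s/r counts of the `# of sa` column."""
    rows = {}
    for line in text.splitlines():
        m = SUMMARY_ROW.match(line)
        if m:
            rows[int(m.group(1))] = {
                "flags": m.group(2).strip(), "local_id": m.group(3),
                "remote_id": m.group(4), "ike": int(m.group(5)),
                "send": int(m.group(6)), "receive": int(m.group(7))}
    return rows


def parse_detail(text):
    """One dict per SA[n] block, keyed by the lower-cased field names."""
    sas = []
    for line in text.splitlines():
        m = SA_HEADER.match(line)
        if m:
            sas.append({"id": int(m.group(1)), "duration": int(m.group(2))})
        elif sas and ":" in line and not line.startswith("-"):
            key, _, value = line.partition(":")
            sas[-1][key.strip().lower()] = value.strip()
    return sas


def check_gateway(summary_text, detail_text, gateway, expected_remote):
    """Page's checks: right peer, IKE up, ESP both ways, summary == detail."""
    problems, warnings = [], []
    row = parse_summary(summary_text).get(gateway)
    if row is None:
        problems.append(f"gateway {gateway} has no SAs at all")
    elif row["remote_id"] != expected_remote:
        problems.append(f"remote-id {row['remote_id']} is not {expected_remote}")
    sas = parse_detail(detail_text)
    ike = sum(1 for s in sas if s.get("protocol", "").startswith("IKE"))
    esp = Counter(s.get("direction") for s in sas
                  if s.get("protocol", "").startswith("ESP"))
    if ike == 0:
        problems.append("no IKE SA: phase 1 never completed")
    for direction in ("send", "receive"):
        if esp[direction] == 0:
            problems.append(f"no ESP {direction} SA: phase 2 incomplete")
    if row and (row["ike"], row["send"], row["receive"]) != (
            ike, esp["send"], esp["receive"]):
        problems.append("summary counts disagree with the detail listing")
    for s in sas:
        if s.get("remote id") != expected_remote:
            problems.append(f"SA[{s['id']}] peers with {s.get('remote id')}")
        for weak in WEAK_ALGORITHMS:
            if weak in s.get("algorithm", ""):
                warnings.append(f"SA[{s['id']}] negotiated {weak}")
    return {"ike": ike, "send": esp["send"], "receive": esp["receive"],
            "problems": problems, "warnings": warnings}
```

Paste the router's real output in place of the two samples and call `check_gateway(summary, detail, 1, "<your AWS tunnel outside address>")`; an empty `problems` list means the IKE and IPsec sections pass, and `warnings` lists SAs that negotiated the weak parameters.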

## 通道
<a name="YamahaTunnel"></a>

First, check that you have the necessary firewall rules. For a list of the rules, see [Firewall rules for an AWS Site-to-Site VPN customer gateway device](FirewallRules.md).

If your firewall rules are set up correctly, continue troubleshooting with the following command.

```
# show status tunnel 1
```

```
TUNNEL[1]: 
Description: 
  Interface type: IPsec
  Current status is Online.
  from 2011/08/15 18:19:45.
  5 hours 7 minutes 58 seconds  connection.
  Received:    (IPv4) 3933 packets [244941 octets]
               (IPv6) 0 packet [0 octet]
  Transmitted: (IPv4) 3933 packets [241407 octets]
               (IPv6) 0 packet [0 octet]
```

Make sure the `Current status` value is `Online` and that `Interface type` is `IPsec`. Run this command on both tunnel interfaces (`show status tunnel 1` and `show status tunnel 2`); one online tunnel is enough to pass traffic but leaves you without redundancy. Also compare the `Received` and `Transmitted` counters: if the tunnel is online and `Transmitted` grows while `Received` stays at zero, the SA is up but nothing is coming back to you, which points at the firewall rules or at the BGP checks that follow. To resolve any problems here, review the configuration.
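To apply the tunnel checks above to both tunnels at once, here is an added example (not code from the AWS page or from Yamaha) that parses `show status tunnel N` output and reports a tunnel that is not `Online`, not `IPsec`, missing, or online but receiving nothing. The two samples are constructed in the page's format: tunnel 1 is healthy, tunnel 2 is deliberately made to show the one-way-traffic case; the function names are this example's own.

```python
import re

# Constructed samples of `show status tunnel 1` and `show status tunnel 2`.
SAMPLE_TUNNELS = {
    1: """\
TUNNEL[1]:
Description:
  Interface type: IPsec
  Current status is Online.
  from 2011/08/15 18:19:45.
  5 hours 7 minutes 58 seconds  connection.
  Received:    (IPv4) 3933 packets [244941 octets]
               (IPv6) 0 packet [0 octet]
  Transmitted: (IPv4) 3933 packets [241407 octets]
               (IPv6) 0 packet [0 octet]
""",
    2: """\
TUNNEL[2]:
Description:
  Interface type: IPsec
  Current status is Online.
  from 2011/08/15 18:20:02.
  5 hours 7 minutes 41 seconds  connection.
  Received:    (IPv4) 0 packets [0 octets]
               (IPv6) 0 packet [0 octet]
  Transmitted: (IPv4) 512 packets [31744 octets]
               (IPv6) 0 packet [0 octet]
""",
}

# Only the IPv4 packet counters matter here; the IPv6 lines are skipped.
COUNTER = re.compile(
    r"^\s*(Received|Transmitted):\s+\(IPv4\)\s+(\d+) packets? \[(\d+) octets?\]")


def parse_tunnel(text):
    """Extract status, interface type and IPv4 rx/tx packet counts."""
    info = {"online": False, "ipsec": False, "rx": 0, "tx": 0}
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Interface type:"):
            info["ipsec"] = s.split(":", 1)[1].strip() == "IPsec"
        elif s.startswith("Current status is"):
            info["online"] = s.rstrip(".").endswith("Online")
        else:
            m = COUNTER.match(line)
            if m:
                info["rx" if m.group(1) == "Received" else "tx"] = int(m.group(2))
    return info


def check_tunnels(outputs):
    """outputs: {tunnel number: command output}. Returns a list of findings;
    empty means both tunnels pass the checks on the page."""
    findings = []
    for n in (1, 2):  # Site-to-Site VPN always provides two tunnels
        if n not in outputs:
            findings.append(f"TUNNEL[{n}]: no output; run `show status tunnel {n}`")
            continue
        t = parse_tunnel(outputs[n])
        if not t["ipsec"]:
            findings.append(f"TUNNEL[{n}]: interface type is not IPsec")
        if not t["online"]:
            findings.append(f"TUNNEL[{n}]: not Online; recheck IKE and IPsec")
        elif t["tx"] and not t["rx"]:
            findings.append(f"TUNNEL[{n}]: sending but receiving nothing; "
                            "check firewall rules and BGP")
    return findings
```

Feed it the real output of both commands as `{1: out1, 2: out2}`; a tunnel that is online in one direction only is the case that is easiest to miss when reading the counters by hand.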

## BGP
<a name="YamahaBGP"></a>

Run the following command.

```
# show status bgp neighbor
```

```
BGP neighbor is 169.254.255.1, remote AS 7224, local AS 65000, external link
  BGP version 0, remote router ID 0.0.0.0
  BGP state = Active
  Last read 00:00:00, hold time is 0, keepalive interval is 0 seconds
  Received 0 messages, 0 notifications, 0 in queue
  Sent 0 messages, 0 notifications, 0 in queue
  Connection established 0; dropped 0
  Last reset never
Local host: unspecified
Foreign host: 169.254.255.1, Foreign port: 0

BGP neighbor is 169.254.255.5, remote AS 7224, local AS 65000, external link
  BGP version 0, remote router ID 0.0.0.0
  BGP state = Active
  Last read 00:00:00, hold time is 0, keepalive interval is 0 seconds
  Received 0 messages, 0 notifications, 0 in queue
  Sent 0 messages, 0 notifications, 0 in queue
  Connection established 0; dropped 0
  Last reset never
Local host: unspecified
Foreign host: 169.254.255.5, Foreign port:
```

Both neighbors should be listed (one per tunnel). For each, the `BGP state` value should be `Established`. Note that the sample output above actually shows two sessions that have not come up: `Active` is the BGP state in which the router is still trying to open the TCP connection to the peer, and the `BGP version 0`, `remote router ID 0.0.0.0`, zero messages received and `Connection established 0` lines confirm that nothing has been exchanged yet. If you see `Active`, the peer's inside tunnel address (`169.254.255.1` and `169.254.255.5` here) is not reachable: check that the corresponding tunnel is `Online`, that the inside tunnel addresses on both ends match the ones in your configuration, and that your firewall rules allow the session. Also confirm the ASNs: the AWS side appears as `remote AS 7224` in this example, and the local ASN (`65000` here) must match the ASN you configured for the customer gateway in AWS.

If the BGP peering is up, verify that your customer gateway device is advertising the default route (0.0.0.0/0) to the VPC, as the sample configuration does.

```
# show status bgp neighbor 169.254.255.1 advertised-routes 
```

```
Total routes: 1
*: valid route
  Network            Next Hop        Metric LocPrf Path
* default            0.0.0.0              0        IGP
```

Also confirm that you are receiving the prefix corresponding to your VPC from the virtual private gateway. It should appear with `Kind` set to `BGP`, the tunnel's inside address as the gateway and a `TUNNEL[n]` interface, as in the `10.0.0.0/16` entry below.

```
# show ip route
```

```
Destination         Gateway          Interface       Kind  Additional Info.
default             ***.***.***.***   LAN3(DHCP)    static  
10.0.0.0/16         169.254.255.1    TUNNEL[1]       BGP  path=10124
```
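The three BGP checks above (neighbor state, the default route advertised to AWS, and the VPC prefix learned back over a tunnel) can be run over the command outputs together. The following script is an added example, not code from the AWS page or from Yamaha. The samples are constructed in the page's format: `NEIGHBORS_DOWN` reproduces the page's own `Active` case, `NEIGHBORS_UP` is what a healthy session looks like, and the `show ip route` sample uses a placeholder `203.0.113.1` uplink gateway. The function names and the `aws_as` parameter are this example's own.

```python
import ipaddress
import re

# Constructed sample of `show status bgp neighbor`: sessions that never came up.
NEIGHBORS_DOWN = """\
BGP neighbor is 169.254.255.1, remote AS 7224, local AS 65000, external link
  BGP version 0, remote router ID 0.0.0.0
  BGP state = Active
  Received 0 messages, 0 notifications, 0 in queue
  Connection established 0; dropped 0

BGP neighbor is 169.254.255.5, remote AS 7224, local AS 65000, external link
  BGP version 0, remote router ID 0.0.0.0
  BGP state = Active
  Received 0 messages, 0 notifications, 0 in queue
  Connection established 0; dropped 0
"""
# Constructed sample of the same command with both sessions established.
NEIGHBORS_UP = """\
BGP neighbor is 169.254.255.1, remote AS 7224, local AS 65000, external link
  BGP version 4, remote router ID 169.254.255.1
  BGP state = Established
  Received 1234 messages, 0 notifications, 0 in queue
  Connection established 1; dropped 0

BGP neighbor is 169.254.255.5, remote AS 7224, local AS 65000, external link
  BGP version 4, remote router ID 169.254.255.5
  BGP state = Established
  Received 1230 messages, 0 notifications, 0 in queue
  Connection established 1; dropped 0
"""
# Constructed samples of `advertised-routes` and `show ip route`.
ADVERTISED = """\
Total routes: 1
*: valid route
  Network            Next Hop        Metric LocPrf Path
* default            0.0.0.0              0        IGP
"""
ROUTES = """\
Destination         Gateway          Interface       Kind  Additional Info.
default             203.0.113.1      LAN3(DHCP)      static
10.0.0.0/16         169.254.255.1    TUNNEL[1]       BGP   path=10124
"""

NEIGHBOR = re.compile(r"^BGP neighbor is (\S+), remote AS (\d+), local AS (\d+)")
STATE = re.compile(r"^\s*BGP state = (\w+)")


def parse_neighbors(text):
    """One dict per 'BGP neighbor is ...' block: peer, ASNs and FSM state."""
    peers = []
    for line in text.splitlines():
        m = NEIGHBOR.match(line)
        if m:
            peers.append({"peer": m.group(1), "remote_as": int(m.group(2)),
                          "local_as": int(m.group(3)), "state": "Idle"})
        else:
            m = STATE.match(line)
            if peers and m:
                peers[-1]["state"] = m.group(1)
    return peers


def advertises_default(text):
    """True if a valid (*) default route is in the advertised-routes listing."""
    return any(re.match(r"^\*\s+default\b", l) for l in text.splitlines())


def bgp_routes(text):
    """Entries with Kind == BGP from `show ip route`: prefix, gateway, interface."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) >= 4 and cols[3] == "BGP":
            routes.append({"prefix": cols[0], "gateway": cols[1], "interface": cols[2]})
    return routes


def check_bgp(neighbor_text, advertised_text, route_text, vpc_cidr, aws_as=7224):
    """Return a list of findings; empty means every BGP check on the page passed."""
    findings = []
    peers = parse_neighbors(neighbor_text)
    if len(peers) != 2:
        findings.append(f"expected 2 neighbors (one per tunnel), found {len(peers)}")
    for p in peers:
        if p["remote_as"] != aws_as:
            findings.append(f"{p['peer']}: remote AS {p['remote_as']} is not {aws_as}")
        if p["state"] != "Established":
            # Idle/Connect/Active: the TCP session to the peer never came up.
            findings.append(f"{p['peer']}: state {p['state']}, session not up; "
                            "check the tunnel is Online and inside addresses match")
    if not advertises_default(advertised_text):
        findings.append("default route (0.0.0.0/0) is not advertised to AWS")
    vpc = ipaddress.ip_network(vpc_cidr)
    learned = [r for r in bgp_routes(route_text)
               if r["interface"].startswith("TUNNEL")
               and vpc.subnet_of(ipaddress.ip_network(r["prefix"]))]
    if not learned:
        findings.append(f"{vpc_cidr} not learned via BGP over a tunnel")
    return findings
```

Run `check_bgp(neighbor_out, advertised_out, route_out, "<your VPC CIDR>")` with the real outputs; the route check accepts any BGP-learned prefix on a `TUNNEL[n]` interface that covers the VPC CIDR, so it also passes when the virtual private gateway advertises a summary rather than the exact VPC block.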